Hi everyone!
I am building a user profile page. My database has been set up. I want to let users change their password in their profile. Can anyone provide a PHP script for doing this? Thanks!
ken.
Change password PHP Script
#2
Posted 13 December 2008 - 09:22 PM
Ken Lui, on Dec 13 2008, 02:00, said:
Hi everyone!
I am building a user profile page. My database has been set up. I want to let users change their password in their profile. Can anyone provide a PHP script for doing this? Thanks!
ken.
Assuming you have a database set up with a table called 'users' with fields 'id', 'username' and 'password'.
Also assuming you have a form set up with the inputs "old password", "new password" and "confirm new password" which posts the id of the user you want to change back to itself.
include 'config.php'; // the database connection must exist before any query runs
// check if form has been posted
if (isset($_POST['formPassword']))
{
    // get user id posted by the form back to itself (cast to int so it cannot carry SQL)
    $userid = (int) $_POST['id'];
    $query = "SELECT * FROM users WHERE id=" . $userid;
    $result = mysql_query($query);
    $r = mysql_fetch_array($result);
    // gets the stored (md5) password from the database
    $oldpassword = $r["password"];
    // if the md5 of the old password the user entered matches the stored one
    // and the two new passwords match
    if ((md5($_POST["txtOldPassword"]) == $oldpassword) &&
        ($_POST["formPassword"] == $_POST["formConfirmPassword"])) {
        $sql = "UPDATE users SET password='" . md5($_POST['formPassword']) . "' WHERE id=" . $userid;
        $result = mysql_query($sql);
        print "Success";
    }
    else {
        print "Error";
    }
}
#3
Posted 15 December 2008 - 05:59 AM
Hi
Now let us collect all the form data posted by the user
$todo=$_POST['todo'];
$password=$_POST['password'];
$password2=$_POST['password2'];
Now let us check the data and sanitize the data entered by the user by using the mysql_real_escape_string function
if(isset($todo) and $todo=="change-password"){
$password=mysql_real_escape_string($password);
Now we will set the flags for validation of the variables. Please note that we have used limited validation here and you can go for more checking as per your requirements (like allowing only numbers or chars in the password etc.)
$status = "OK";
$msg="";
After this we will see that our entered password is not less than 3 chars and not more than 8 chars in length.
if ( strlen($password) < 3 or strlen($password) > 8 ){
$msg=$msg."Password must be more than 3 chars in length and maximum 8 chars in length<BR>";
$status= "NOTOK";}
Now let us check whether both the passwords are equal or not
if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}
Now if our validation is OK then we will go for the update SQL, and if validation is not OK then we will display the error message. In our query we are using an SQL update statement and based on the success of the SQL update statement we can display the message. Here is the code for the update of the member table.
if($status<>"OK"){
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onclick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("update plus_signup set password='$password' where userid='$session[userid]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password for better security</font></center>";
}
}
} // end of the change-password branch
#4
Posted 15 December 2008 - 05:12 PM
The second method suggested doesn't check if the old password entered is in fact correct, which is a security loophole, nor does it store the passwords in hashed form to hide the plain-text password. The first method is much better, but does make two SQL queries where really only one is required. After setting up the database connection, the only code you should need to run for this (adapted from legionary's example) is:
I've assumed you're using a numerical $userid here. The numeric check + MySQL escaping avoid SQL injection exploits. The usual disclaimer that this isn't tried and tested applies...
$userid=$_POST['id'];
$newpassword=$_POST['newpw'];
/* Sanity check: numeric id, matching confirmation, minimum length */
if(!is_numeric($userid) || $newpassword !== $_POST['confpw'] || strlen($newpassword) < 8) {
    // Error
    exit();
}
$oldpassword=mysql_real_escape_string($_POST['oldpw']);
$newpassword=mysql_real_escape_string($newpassword);
/* One query: the row is only updated if the old password hash matches */
mysql_query("UPDATE users SET password=md5('$newpassword') WHERE id=$userid AND password=md5('$oldpassword')");
if(mysql_affected_rows() > 0) {
    /* In fact, it should be == 1 */
    // Success
} else {
    // Failed (wrong old password or unknown id)
}
Charles. (LinkedIn profile)
Sun Certified Web Component Developer for Java EE, PHP, C/C++, (X)(HT)ML/CSS, SQL, Linux administrator.
Operations Director, ConnetU Internet :: Custom managed hosting solutions: websites, servers, virtualisation, consolidation, network monitoring and complete software support with bespoke programming.
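The flow post #4 describes (verify the old password, hash the new one, update with a bound parameter), written as an added example on current PHP with PDO and password_hash() in place of the mysql_* functions and md5(); this is not code from the thread, and the table and column names, the session key and the connection details are assumptions.

```php
<?php
// Added example, not code from the thread: the flow post #4 describes (verify the old
// password, hash the new one, one parameterised update) on modern PHP. Assumes a PDO
// connection, a 'users' table with 'id' and 'password' (password_hash() output), and the
// logged-in user's id in $_SESSION['userid']; all of these are assumptions.
declare(strict_types=1);
session_start();

function change_password(PDO $pdo, int $userId, string $oldPw, string $newPw, string $confirmPw): string
{
    // Validate the submitted values before touching the database.
    if ($newPw !== $confirmPw) {
        return 'New passwords do not match';
    }
    if (strlen($newPw) < 8) {
        return 'New password must be at least 8 characters';
    }

    // Bound parameter instead of string concatenation: no SQL injection via the id.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $storedHash = $stmt->fetchColumn();

    // Unlike md5(), password_hash() salts each hash, so the old password cannot be matched
    // inside the UPDATE's WHERE clause; it is checked here with password_verify() instead.
    if ($storedHash === false || !password_verify($oldPw, $storedHash)) {
        return 'Old password is incorrect';
    }

    $newHash = password_hash($newPw, PASSWORD_DEFAULT);
    $update = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $update->execute([':hash' => $newHash, ':id' => $userId]);

    return $update->rowCount() === 1 ? 'Password changed' : 'Update failed';
}

// Take the user id from the server-side session rather than a hidden form field,
// so a user cannot change another account's password by editing the posted id.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['userid'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,  // placeholder DSN/credentials
    ]);
    $msg = change_password($pdo, (int) $_SESSION['userid'],
        (string) ($_POST['oldpw'] ?? ''), (string) ($_POST['newpw'] ?? ''),
        (string) ($_POST['confpw'] ?? ''));
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');  // escape output for the page
}
```

The same message is returned for a missing row and a wrong old password, so the response does not reveal whether an id exists.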